OpenLDAP Directory Administration
Standard Unix Services and LDAP
Table of Contents
• The Directory Namespace
• An FTP/HTTP Combination
• User Authentication with Samba
• FreeRadius
• Resolving Hosts
• Central Printer Management
The Directory Namespace
• This chapter explores how standard Unix services can make use of our directory
• We continue with the namespace developed in chapters 6 and 7
• We will eventually need to modify it

    dc=plainjoe,dc=org
        ou=group       (administrative groups and posixGroups)
        ou=people      (user accounts)
        ou=services    (application data)
An FTP/HTTP Combination
• ProFTPD (http://www.proftpd.org/) + LDAP
• Apache (http://www.apache.org/) + LDAP
• Assume that the FTP and web platforms cannot make use of PAM or NSS
• Schema: www.plainjoe.org obtains home directory and account information from the LDAP directory on ldap.plainjoe.org; users upload files to ~/public_html and they are served at http://www.plainjoe.org/~user
An FTP/HTTP Combination (cont.)
ProFTPD
• Comes with a mod_ldap module (not the same as Apache's)
• Compilation flag: --with-modules=mod_ldap
• Listing built-in modules:

    $ proftpd -l
    Compiled-in modules:
      mod_core.c
      mod_xfer.c
      mod_auth_unix.c
      ...
      mod_ldap.c
      ...
      mod_log.c
      mod_site.c
      mod_auth_pam.c
      mod_quotatab.c
      mod_ratio.c
      mod_tls.c
      mod_rewrite.c
      mod_radius.c
      mod_ifsession.c
      mod_cap.c
An FTP/HTTP Combination (cont.)
ProFTPD (cont.)
• Sample start configuration:

    ServerType      standalone
    DefaultServer   on
    Port            21
    Umask           022
    User            nobody
    Group           nobody
    DefaultRoot     ~/public_html
    # LDAP parameters will go in here
    <Directory /*>
        AllowOverwrite  on
    </Directory>
An FTP/HTTP Combination (cont.)
ProFTPD (cont.)
• LDAP configuration:

    LDAPDoAuth on "ou=people,dc=plainjoe,dc=org"
    LDAPServer ldap.plainjoe.org
    # By default, anonymous binds are used.
    # LDAPAuthBinds off: anonymous bind (or simple bind with LDAPDNInfo as the DN);
    #   the userPassword attribute is read and compared, so the user's password
    #   must be stored in clear text or in {crypt} format.
    # LDAPAuthBinds on: authenticates the connecting user by binding to the
    #   directory server: the user's DN is located, then proftpd binds to the
    #   LDAP server again using that DN and the password entered. The
    #   userPassword attribute is never requested.
    LDAPAuthBinds on
    # How to tell proftpd to resolve UIDs and GIDs when listing files
    LDAPDoGIDLookups on "ou=group,dc=plainjoe,dc=org"
    LDAPDoUIDLookups on "ou=people,dc=plainjoe,dc=org"
    # The default search filters (&(uidNumber=UNIX uid)(objectclass=posixAccount))
    # and (&(gidNumber=UNIX gid)(objectclass=posixGroup)) can be overridden
    # via an extra parameter
An FTP/HTTP Combination (cont.) ProFTPD LDAP Parameters
An FTP/HTTP Combination (cont.) ProFTPD LDAP Parameters (cont.)
An FTP/HTTP Combination (cont.)
Apache
• There is more than one LDAP module for Apache
• We will use mod_ldap_userdir here
• It searches the LDAP directory for a posixAccount entry with a matching uid value
• Building the module is not covered here
• Configuration:

    LoadModule ldap_userdir_module /usr/lib/apache/mod_ldap_userdir.so
    <IfModule mod_ldap_userdir.c>
        LDAPUserDirServer       ldap.plainjoe.org
        LDAPUserDirSearchScope  subtree
        LDAPUserDirBaseDN       ou=people,dc=plainjoe,dc=org
        LDAPUserDir             public_html
    </IfModule>
An FTP/HTTP Combination (cont.) Apache (cont.) Directives for mod_ldap_userdir
User Authentication with Samba
• http://www.samba.org/
• Implements the server portion of the SMB/CIFS protocol (Server Message Block/Common Internet File System)
• Full Samba coverage is outside the scope of this course
• To support the challenge/response authentication methods used by MS Windows clients, Samba requires a list of hashed passwords separate from the passwords in /etc/shadow, the smbpasswd file:

    username:uid:LM_HASH:account_flags:timestamp

• Disadvantages of smbpasswd for large sites:
  • Lookups are performed sequentially
  • A single smbpasswd file replicated to multiple servers is a clumsy solution (e.g. uids/gids must be identical, etc.)
  • The format of the smbpasswd file limits the number of attributes (e.g. the location of a user's roaming profile)
User Authentication with Samba (cont.)
Configuring Samba
• Covered here: Samba 2.2.7a (LDAP support must be enabled at compile time: --with-ldapsam)
• Samba 3 LDAP support is different (more powerful)
• sambaAccount object in the LDAP directory
• smb.conf file (partial):

    [global]
    netbios name = TASHTEGO
    workgroup = PEQUOD
    security = user
    encrypt passwords = yes
    ldap admin dn = "cn=smbadmin,ou=people,dc=plainjoe,dc=org"
    ldap server = ldap.plainjoe.org
    ldap ssl = start_tls
    ldap port = 389
    ldap suffix = "ou=people,dc=plainjoe,dc=org"
    ldap filter = "(&(uid=%U)(objectclass=sambaAccount))"
    ...
User Authentication with Samba (cont.)
smb.conf LDAP Parameters
• Make sure the NTLM hashes are not retrievable by an anonymous user
• The password for the LDAP bind is not stored in smb.conf but in the secrets.tdb file:

    # smbpasswd -w secret
    Setting stored password for "cn=smbadmin,ou=people,dc=plainjoe,dc=org" in secrets.tdb
User Authentication with Samba (cont.)
Configuring OpenLDAP
• The LDAP server must support the appropriate schema
• sambaAccount schema: samba.schema
• slapd.conf:

    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/nis.schema
    include /etc/openldap/schema/inetorgperson.schema
    include /etc/openldap/schema/samba.schema
User Authentication with Samba (cont.)
sambaAccount Object Class
• objectClass: sambaAccount
• Required and optional attributes: uid, rid, cn, lmPassword, ntPassword, pwdLastSet, logonTime, logoffTime, kickoffTime, userWorkstations, primaryGroupID, domain, pwdCanChange, pwdMustChange, acctFlags, displayName, smbHome, homeDrive, scriptPath, profilePath, description
User Authentication with Samba (cont.)
Access Control Rules
• New access rules to prevent normal users from retrieving LanMan/NT password hashes:

    # Previous ACLs
    access to attrs=userPassword
        by self write
        by * auth

    # Don't let users snoop Windows passwords
    access to attrs=lmPassword,ntPassword
        by dn="cn=smbadmin,ou=people,dc=plainjoe,dc=org" write
        by * none

    # Allow smbadmin to add new entries and modify existing ones
    access to dn.subtree="ou=people,dc=plainjoe,dc=org"
        by dn="cn=smbadmin,ou=people,dc=plainjoe,dc=org" write
        by * read

    # Previous ACLs
    access to dn.subtree="ou=group,dc=plainjoe,dc=org"
        by * read
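slapd picks the first "access to" clause whose target matches and then the first matching "by" clause, so the lmPassword/ntPassword rule only protects the hashes because it comes before the ou=people subtree rule. The following Python model is an added example (not course material or OpenLDAP code) that encodes the four rules above plus a mis-ordered variant; it assumes that access is denied when no directive matches, and KRISTI is a constructed sample user DN.

```python
"""Model of slapd ACL evaluation for the rules on the slide: the first 'access to'
clause whose target matches is used, then its first matching 'by' clause decides."""

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
SMBADMIN = "cn=smbadmin,ou=people,dc=plainjoe,dc=org"
KRISTI = "uid=kristi,ou=people,dc=plainjoe,dc=org"          # constructed sample entry
PEOPLE, GROUP = "ou=people,dc=plainjoe,dc=org", "ou=group,dc=plainjoe,dc=org"

# The slide's ACLs in slapd.conf order: (what, [(who, level), ...]).
ACLS = [
    (("attrs", {"userpassword"}), [("self", "write"), ("*", "auth")]),
    (("attrs", {"lmpassword", "ntpassword"}), [(SMBADMIN, "write"), ("*", "none")]),
    (("subtree", PEOPLE), [(SMBADMIN, "write"), ("*", "read")]),
    (("subtree", GROUP), [("*", "read")]),
]
# Same rules with the subtree rule first: it then shadows the hash rule.
MISORDERED = [ACLS[2], ACLS[0], ACLS[1], ACLS[3]]

def _what_matches(what, entry_dn, attr):
    kind, target = what
    if kind == "attrs":
        return attr is not None and attr.lower() in target
    dn = entry_dn.lower()
    return dn == target or dn.endswith("," + target)

def _who_matches(who, requester_dn, entry_dn):
    if who == "*":
        return True                       # '*' matches anonymous requesters too
    if requester_dn is None:
        return False                      # anonymous never matches 'self' or a DN
    if who == "self":
        return requester_dn.lower() == entry_dn.lower()
    return requester_dn.lower() == who.lower()

def granted_level(requester_dn, entry_dn, attr, acls=ACLS):
    """Access level slapd would grant; requester_dn=None means an anonymous bind."""
    for what, by_clauses in acls:
        if not _what_matches(what, entry_dn, attr):
            continue
        for who, level in by_clauses:
            if _who_matches(who, requester_dn, entry_dn):
                return level
        return "none"                     # 'to' matched but no 'by' did: denied
    return "none"                         # assumption: deny when nothing matches

def allowed(requester_dn, entry_dn, attr, wanted):
    """True if the granted level is at least the requested one (auth, read, write...)."""
    return LEVELS.index(granted_level(requester_dn, entry_dn, attr)) >= LEVELS.index(wanted)
```

Note that the user herself cannot read her own NT hash (only smbadmin can), while anonymous clients may still bind with userPassword but never read it.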
User Authentication with Samba (cont.)
The smbadmin Account
• Since Samba will bind to LDAP using this account, the account must possess a userPassword attribute. However, it is not necessary to have a UID, so we can use the person structural object class
• person object class: required attributes cn and sn; optional attributes userPassword, telephoneNumber, seeAlso and description
• Corresponding LDIF:

    dn: cn=smbadmin,ou=people,dc=plainjoe,dc=org
    objectClass: person
    cn: smbadmin
    sn: smbadmin
    userPassword: {SSHA}xDG3/Cfj7ATgJ9yP0exS2lGD+infJqCj
User Authentication with Samba (cont.)
Adding and Using a sambaAccount
• Add user:

    # smbpasswd -a kristi -s testpass
    LDAP search "(&(uid=kristi)(objectclass=sambaAccount))" returned 0 entries.
    Added user kristi

• List user:

    dn: uid=kristi,ou=people,dc=plainjoe,dc=org
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: sambaAccount
    ...
    uid: kristi
    pwdLastSet: 1040186720
    logonTime: 0
    logoffTime: 2147483647
    kickoffTime: 2147483647
    pwdCanChange: 0
    pwdMustChange: 2147483647
    rid: 2570
    primaryGroupID: 1201
    lmPassword: ...
    ntPassword: ...
    acctFlags: [UX ]
FreeRadius
• Not discussed in this course
Resolving Hosts
• The most widespread mechanism for hostname resolution is DNS (Domain Name System)
• LDAP is not really a replacement for a specialized directory service such as DNS
• LDAP can be used as a back-end storage system for zone files
• A patch for BIND9 exists: http://www.venaas.no/ldap/bind-sdb/
Resolving Hosts (cont.)
Overview
• Diagram: a name query for the DNS zone plainjoe.org is answered by an LDAP search against the directory dc=plainjoe,dc=org (ou=hosts, ou=people, ou=group, ou=services)
Resolving Hosts (cont.)
How to Get It to Work?
• Copy ldap.c to the BIND source directory
• Copy ldap.h to the include directory of the BIND source tree
• Edit bin/named/Makefile.in and add:

    DDRIVER_OBJS = ldapdb.@O@
    DDRIVER_SRCS = ldapdb.c
    DDRIVER_LIBS = -lldap -llber

• You may need to add the path to the LDAP include files and libraries to DDRIVER_INCLUDES and DDRIVER_LIBS
• Edit bin/named/main.c and add the ldapdb lines after the corresponding xxdb lines:

    #include <xxdb.h>
    #include <ldapdb.h>

    xxdb_init();
    ldapdb_init();

    xxdb_clear();
    ldapdb_clear();
Resolving Hosts (cont.)
How to Get It to Work? (cont.)
• Given the following zone file:

    plainjoe.org.  IN  SOA  dns1.plainjoe.org. root.dns.plainjoe.org. (
                             3        ; serial
                             10800    ; Refresh after 3 hours
                             3600     ; Retry after 1 hour
                             604800   ; Expire after 1 week
                             86400 )  ; Minimum TTL of 1 day

    ; Name servers
    plainjoe.org.            IN  NS  dns1.plainjoe.org.

    ; Addresses for local hosts
    localhost.plainjoe.org.  IN  A   127.0.0.1
    dns1.plainjoe.org.       IN  A   192.168.1.10
    ldap.plainjoe.org.       IN  A   192.168.1.70
    ahab.plainjoe.org.       IN  A   192.168.1.80
Resolving Hosts (cont.)
How to Get It to Work? (cont.)
• There is a structural dNSZone object class that allows you to store DNS records in the directory
• objectClass: dNSZone
• Required attributes: zoneName, relativeDomainName
• Optional attributes: DNSTTL, DNSClass, ARecord, MDRecord, PTRRecord, MXRecord, NSRecord, SOARecord, CNAMERecord, NAPTRRecord, KXRecord, DNAMERecord, HINFORecord, MINFORecord, TXTRecord, SIGRecord, KEYRecord, AAAARecord, LOCRecord, NXTRecord, SRVRecord, CERTRecord, A6Record
Resolving Hosts (cont.)
How to Get It to Work? (cont.)
• LDIF entry for the A record of host ahab.plainjoe.org:

    dn: relativeDomainName=ahab,ou=hosts,dc=plainjoe,dc=org
    aRecord: 192.168.1.80
    objectClass: dNSZone
    relativeDomainName: ahab
    dNSTTL: 86400
    zoneName: plainjoe.org

• The next step is to tell the named service about the LDAP database:

    zone "plainjoe.org" in {
        type master;
        database "ldap ldap://192.168.1.70/ou=hosts,dc=plainjoe,dc=org 172800";
    };

• Note: the zone2ldap tool is included in the BIND distribution (or available on Venaas' web site)
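As an added example (not the zone2ldap tool and not course code), the Python below converts the zone file from the previous slide into dNSZone LDIF entries of the form shown above; it handles ';' comments and the parenthesised SOA fields, takes each entry's dNSTTL from the SOA minimum TTL as the slide does, and rejects owner names outside the zone. The zone text is a constructed copy of the slide's file.

```python
import re

ZONE, BASE_DN = "plainjoe.org", "ou=hosts,dc=plainjoe,dc=org"
RDATA_ATTR = {"A": "aRecord", "NS": "nSRecord", "SOA": "sOARecord"}

# Constructed copy of the slide's zone file, comments and SOA parentheses included.
ZONE_FILE = """\
plainjoe.org. IN SOA dns1.plainjoe.org. root.dns.plainjoe.org. (
    3       ; serial
    10800   ; Refresh after 3 hours
    3600    ; Retry after 1 hour
    604800  ; Expire after 1 week
    86400 ) ; Minimum TTL of 1 day
plainjoe.org.           IN NS dns1.plainjoe.org.
localhost.plainjoe.org. IN A  127.0.0.1
dns1.plainjoe.org.      IN A  192.168.1.10
ldap.plainjoe.org.      IN A  192.168.1.70
ahab.plainjoe.org.      IN A  192.168.1.80
"""
def _records(text):
    """Yield (owner, type, rdata); ';' comments are stripped and '( ... )' groups joined."""
    body = re.sub(r";[^\n]*", "", text)
    body = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), body)
    for line in body.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[1].upper() == "IN":
            yield parts[0], parts[2].upper(), " ".join(parts[3:])

def _relative(owner):
    """'ahab.plainjoe.org.' -> 'ahab'; the zone apex itself becomes '@'."""
    owner = owner.rstrip(".")
    if owner != ZONE and not owner.endswith("." + ZONE):
        raise ValueError(f"{owner} is not inside zone {ZONE}")
    return "@" if owner == ZONE else owner[: -len(ZONE) - 1]

def zone_to_entries(text):
    """Group records per owner into dNSZone attribute dicts; dNSTTL = SOA minimum TTL."""
    entries, ttl = {}, None
    for owner, rtype, rdata in _records(text):
        if rtype == "SOA":
            ttl = int(rdata.split()[-1])
        rel = _relative(owner)
        e = entries.setdefault(rel, {"objectClass": ["dNSZone"], "zoneName": [ZONE],
                                     "relativeDomainName": [rel]})
        e.setdefault(RDATA_ATTR[rtype], []).append(rdata)
    for e in entries.values():
        e["dNSTTL"] = [str(ttl)]
    return entries

def to_ldif(entries):
    # One 'dn:' line per entry followed by its attributes, blank line separated.
    return "\n".join(f"dn: relativeDomainName={rel},{BASE_DN}\n"
                     + "".join(f"{k}: {v}\n" for k, vals in a.items() for v in vals)
                     for rel, a in entries.items())
```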
Central Printer Management
• Network printers are devices associated with entries in DNS and possess attributes used to support a non-DNS application
• Next step: design a directory-based solution for managing printing configuration information:
  • Adding printers
  • Deploying printers
  • Retiring printers
• See the namespace on the next slide
Central Printer Management (cont.)
LDAP Namespace for Directory-based Storage of Printer Configuration Data

    dc=plainjoe,dc=org
        ou=hosts                 (host DNS configuration)
        ou=printers
            ou=config            (printer configuration data)
            ou=global            (common printers)
            ou=location          (printer groups)
                ou=floor-1
        ou=services
        ou=people
        ou=group
Central Printer Management (cont.)
The Namespace
• The config OU sits at the root of the actual configuration tree
• Each printer has an entry (name, maximum print job size, ...)
• The entry also contains DNS information
• The ou=config,ou=printers,dc=plainjoe,dc=org entry acts as the base suffix for the lp.plainjoe.org DNS zone used by BIND9
• If an administrator removes a printer's entry, it is immediately removed from DNS as well
• Printers listed below the ou=global entry should be available to all clients on the network
• The ou=location tree has a similar function to the global tree
  • Holder for another group of organizational units
  • Each OU represents a group of printers
• Big difficulty: deciding on an acceptable schema for representing printer capabilities and data
Central Printer Management (cont.)
The Namespace (cont.)
• There is currently no standardized printer schema
• Closest: draft-fleming-ldap-printer-schema-XX.txt
• See also "Network Printing" from O'Reilly
• Some additional object classes and attributes are needed to generate printcap entries for LPD and LPRng
• Problem: dNSZone and printerService objects are both structural classes
• Fortunately, BIND9 LDAP lookups do not use the objectClass
• Use the extensibleObject class in place of dNSZone
• The other solution would be to define a new auxiliary object class with all the attributes contained in a dNSZone object
Central Printer Management (cont.)
Object Classes for Printing
• printerAbstract (parent class; attributes optional): printer-name, printer-natural-language-configured, printer-location, printer-info, printer-more-info, printer-make-and-model, printer-multiple-document-jobs-supported, printer-charset-configured, printer-charset-supported, printer-generated-natural-language-supported, printer-document-format-supported, printer-color-supported, printer-compression-supported, printer-pages-per-minute, printer-pages-per-minute-color, printer-finishings-supported, printer-number-up-supported, printer-sides-supported, printer-media-supported, printer-media-local-supported, printer-resolution-supported, printer-print-quality-supported, printer-job-priority-supported, printer-copies-supported, printer-job-k-octets-supported, printer-current-operator, printer-service-person, printer-delivery-orientation-supported, printer-stacking-order-supported, printer-output-features-supported
• printerLPR: printer-name (required), printer-aliases
• nprintPortPrinterInfo: nprintDeviceName, nprintDeviceFlags, nprintFilter
• nprintNetworkPrinterInfo: nprintDNSName, nprintHardwareQueueName, nprintQueuePort
• printerService (derived from the printerAbstract parent; attributes optional): printer-uri, printer-xri-supported
Central Printer Management (cont.)
Example Networked Printer Configuration

    dn: printer-uri=lpr://hp2100,ou=config,ou=printers,dc=plainjoe,dc=org
    aRecord: 192.168.1.220
    printer-name: hp2100
    nprintHardwareQueueName: raw
    printer-uri: lpr://hp2100
    relativeDomainName: hp2100
    objectClass: printerService
    objectClass: nprintNetworkPrinterInfo
    objectClass: extensibleObject
    printer-job-k-octets-supported: 10000
    zoneName: lp.plainjoe.org

• No nprintDNSName attribute: it can be determined from the relativeDomainName and zoneName attributes

Example Non-networked Printer Configuration

    dn: printer-uri=lpr://bjc240,ou=config,ou=printers,dc=plainjoe,dc=org
    printer-name: bjc240
    nprintHardwareQueueName: raw
    printer-uri: lpr://bjc240
    objectClass: printerService
    objectClass: printerLPR
    objectClass: nprintPortPrinterInfo
    nprintDeviceName: /dev/lp0
    printer-aliases: canon
Central Printer Management (cont.)
More Configuration ...
• Entries below ou=global and ou=location contain only a printer's name, e.g.

    dn: printer-name=hp2100,ou=global,ou=printers,dc=plainjoe,dc=org
    printer-name: hp2100
    objectClass: printerService

    dn: printer-name=bitsink,ou=floor-1,ou=location,dc=plainjoe,dc=org
    printer-name: bitsink
    objectClass: printerService

• The nprintHostPrinter AUXILIARY object class allows an existing entry for a network host to be extended to define membership in a printing group
  • nprintHostPrinter attributes (optional): nprintPrinterName, nprintLocation
Central Printer Management (cont.)
More Configuration ... (cont.)
• Entry for workstation queso.plainjoe.org:

    dn: relativeDomainName=queso,ou=hosts,dc=plainjoe,dc=org
    aRecord: 192.168.1.74
    nprintLocation: floor-1
    objectClass: dNSZone
    objectClass: nprintHostPrinter
    relativeDomainName: queso
    dNSTTL: 86400
    nprintPrinterName: draft-printer
    zoneName: plainjoe.org

• generate_printcap.pl script
Central Printer Management (cont.)
Printing Information and Entries for queso.plainjoe.org

    ou=hosts
        relativeDomainName=queso
            relativeDomainName: queso
            nprintLocation: floor-1
            nprintPrinterName: draft-printer
    ou=printers
        ou=config
            printer-uri: lpr://hp2100
            printer-uri: lpr://bjc240
            printer-uri: lpr://draft-printer
            printer-uri: lpr://bitsink
        ou=global
            printer-name: hp2100
        ou=location
            ou=floor-1
                printer-name: bitsink
Central Printer Management (cont.)
Resulting printcap File

    # printer-uri=lpr://hp2100,ou=config,ou=printers,dc=plainjoe,dc=org
    # objectClass: nprintNetworkPrinterInfo
    hp2100:\
        :sh:\
        :mx#10000:\
        :lf=/var/spool/lpd/hp2100/lpd-err:\
        :sd=/var/spool/lpd/hp2100:\
        :lp=/dev/null:\
        :rm=hp2100.lp.plainjoe.org:\
        :rp=raw:

    # printer-uri=lpr://bitsink,ou=config,ou=printers,dc=plainjoe,dc=org
    # objectClass: nprintNetworkPrinterInfo
    bitsink:\
        :sh:\
        :mx#0:\
        :lf=/var/spool/lpd/bitsink/lpd-err:\
        :sd=/var/spool/lpd/bitsink:\
        :lp=/dev/null:\
        :rm=bitsink.lp.plainjoe.org:\
        :rp=bitsink:

    # printer-uri=lpr://draft-printer,ou=config,ou=printers,dc=plainjoe,dc=org
    # objectClass: nprintPortPrinterInfo
    draft-printer:\
        :sh:\
        :mx#0:\
        :lf=/var/spool/lpd/draft-printer/lpd-err:\
        :sd=/var/spool/lpd/draft-printer:\
        :lp=/dev/lp0:\
        :if=/opt/printers/filters/hpif.sh:
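The generate_printcap.pl script is only named on the slides, so the Python below is an added example (not the author's script) that derives the printcap above for workstation queso from the ou=config, ou=global, ou=location and host entries of the preceding slides, collected here as constructed sample data (PRINTERS, GLOBAL, LOCATIONS, HOSTS). The rm= host is the printer name in the lp.plainjoe.org zone, as on the slide; the check that directory values cannot inject extra printcap fields is an assumed policy of this example, since ':' separates capabilities and a trailing backslash continues a line.

```python
import re

DOMAIN, SPOOL = "lp.plainjoe.org", "/var/spool/lpd"
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")      # printer and queue names
PATH_RE = re.compile(r"^/[A-Za-z0-9_./-]+$")               # device and filter paths

# Constructed ou=config entries mirroring the slides (attribute -> value).
PRINTERS = {
    "hp2100": {"objectClass": "nprintNetworkPrinterInfo", "nprintHardwareQueueName": "raw",
               "printer-job-k-octets-supported": "10000"},
    "bitsink": {"objectClass": "nprintNetworkPrinterInfo", "nprintHardwareQueueName": "bitsink"},
    "draft-printer": {"objectClass": "nprintPortPrinterInfo", "nprintDeviceName": "/dev/lp0",
                      "nprintFilter": "/opt/printers/filters/hpif.sh"},
}
GLOBAL = ["hp2100"]                                   # printer-name entries below ou=global
LOCATIONS = {"floor-1": ["bitsink"]}                  # entries below ou=<loc>,ou=location
HOSTS = {"queso": {"nprintLocation": "floor-1", "nprintPrinterName": ["draft-printer"]}}

def safe_value(value, pattern=NAME_RE):
    """False for directory values that could inject printcap fields: ':' separates
    capabilities and '\\' continues a line. Assumed policy, not from the slides."""
    return bool(pattern.match(value))

def _checked(value, pattern=NAME_RE):
    if not safe_value(value, pattern):
        raise ValueError(f"unsafe printcap value: {value!r}")
    return value

def printcap_entry(name, cfg):
    """One stanza in the form shown on the 'Resulting printcap File' slide."""
    name = _checked(name)
    caps = ["sh", f"mx#{int(cfg.get('printer-job-k-octets-supported', 0))}",
            f"lf={SPOOL}/{name}/lpd-err", f"sd={SPOOL}/{name}"]
    if cfg["objectClass"] == "nprintNetworkPrinterInfo":
        caps += ["lp=/dev/null", f"rm={name}.{DOMAIN}",
                 f"rp={_checked(cfg['nprintHardwareQueueName'])}"]
    else:                                              # nprintPortPrinterInfo
        caps.append(f"lp={_checked(cfg['nprintDeviceName'], PATH_RE)}")
        if "nprintFilter" in cfg:
            caps.append(f"if={_checked(cfg['nprintFilter'], PATH_RE)}")
    header = (f"# printer-uri=lpr://{name},ou=config,ou=printers,dc=plainjoe,dc=org\n"
              f"# objectClass: {cfg['objectClass']}\n")
    body = "".join(f"\t:{c}:\\\n" for c in caps[:-1]) + f"\t:{caps[-1]}:\n"
    return header + f"{name}:\\\n" + body

def printers_for_host(host):
    """ou=global printers, then the host's location group, then printers named on the host."""
    h = HOSTS[host]
    names = GLOBAL + LOCATIONS.get(h.get("nprintLocation"), []) + h.get("nprintPrinterName", [])
    return list(dict.fromkeys(names))                  # keep order, drop duplicates

def generate_printcap(host):
    return "".join(printcap_entry(n, PRINTERS[n]) for n in printers_for_host(host))
```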